Fair Use: Please note that use of the Netcraft site is
subject to our Fair Use and Copyright policies. For more information,
please visit http://www.netcraft.com/about-netcraft/fair-use-copyright/,
or email info@netcraft.com.

Criminals launch mass phishing attacks against online dating sites

Criminals are running massive dedicated phishing campaigns against online
dating sites, marking an interesting – but not unusual – shift in focus from the traditional
phishing targets such as banks and other financial institutions. The most recent
attack used a single compromised website to host hundreds of fraudulent PHP
scripts, most of which were designed to steal usernames and passwords from users
of the most popular dating sites.

It is likely that the criminals who steal
accounts on these sites will go on to use them to commit online dating fraud — many
dating sites only allow messages to be exchanged with other users after a
subscription fee has been paid; by compromising existing paid accounts, the
fraudsters can reduce their traceability by avoiding the need to make payments.

Part of one of the fraudulent scripts

Online dating
fraud is often orchestrated by criminal gangs who use fake profiles to trick
victims into developing long distance relationships. Once the fraudsters have
gathered enough sympathy and trust from a victim, they will exploit this by
claiming they need money to pay for travel costs, or to afford medical treatment
for a family member. After the money has been stolen, the criminals will make up
further reasons why they need more money. In some cases, the fraudsters
blackmail their victim into sending money - if the victim has sent any explicit
photos or videos to the criminals, they may threaten to send them to the
victim's friends and family.

The amount of money involved in these scams can be considerable. In 2011, a
woman in Britain was tricked into sending
more than $59,000 to a pair of fraudsters who pretended to have inherited
millions of dollars from a military friend in Nigeria. The fraudsters - who were
actually a mother and daughter in America - managed to net
more than a million dollars before being jailed in 2013.

While many online dating sites take measures to identify fake profiles,
phishing for genuine established accounts gives fraudsters the edge. If a
legitimate profile has been in active use for several months without cause for
concern, then compromising this profile will allow the fraudster to benefit not
just from the plausible appearance of the profile, but also take over several
ongoing conversations. The real owner of the hijacked account will have already
done the hard bit by establishing dialogues with other members on the site,
possibly gaining enough trust to allow the fraudsters to strike immediately with
success.

The latest attacks make use of a phishing kit which contains hundreds of PHP scripts, configured to send stolen credentials to more than 300
distinct email addresses. More than half of these addresses used the yahoo.com
domain, while gmail.com was the next most common choice. Although most of the
fraudster's scripts target online dating sites, some of them are also designed
to steal credentials from users of these webmail platforms. Email accounts are
often shut down after the provider notices they have been used for fraudulent
purposes, so ensuring a fresh supply of compromised accounts gives fraudsters
the opportunity to send even more phishing emails before the accounts get
closed.

The
phishing kit contains over 300 PHP scripts, most of which target online dating
sites.

An attacker would typically deploy the phishing kit by uploading a
zip file to a compromised web server and unzipping the tree of contents into a
writable directory. Similar kits uploaded over the past few months have used various file names, such as moving.zip, send.zip, orokionline.zip, amioroki.zip and samoroki.zip. Each script within these kits is very similar in
terms of functionality — they simply collate a set of POST parameters into the
body of an email message, and then send it to two or more email addresses. The
subject of the email is modified to describe what type of credentials are in the
email (e.g. "MATCH ID & PASSWORD"), and after the emails have been sent, the
victim is redirected to an appropriate URL on the target website, such as
http://www.match.com/login/login.aspx?lid=2.

Each compromised server which hosts these scripts acts merely as a "dropsite"
in the fraudsters' phishing campaigns. Rather than displaying any phishing
content, the server simply accepts values that have been submitted from
elsewhere, such as a form hosted on another website or within a phishing email.
The victim is then immediately redirected to the legitimate website, most likely
without realising that his credentials have just been transmitted to a different
website.

Some of the scripts are also designed to steal credentials from Photobucket
users, possibly so the fraudsters can host photos and other images to further
their scams. It is not unusual for fraudsters to encourage their victims to
migrate to instant messaging software or even text messages instead of
continuing to chat on a dating site, which could be monitored to prevent such
fraud.